Sponsored Links

FBI, Homeland Security detail how Iranian hackers stole US voter data

Poorly configured sites were partly to blame.
Voters wait in line to enter a polling place and cast their ballots on the first day of the state's in-person early voting for the general elections in Durham, North Carolina, U.S. October 15, 2020.    REUTERS/Jonathan Drake     TPX IMAGES OF THE DAY
Jon Fingas
Jon Fingas|@jonfingas|October 31, 2020 12:03 PM

US officials are shedding more light on how Iran-linked hackers stole voter info to send intimidating emails to Democrat voters. The FBI and Homeland Security’s CISA have issued an advisory (via Bleeping Computer) explaining the campaign, which ran from September 20th through October 17th. There was plenty of preparation, the agencies said, and poor defenses were at least partly to blame.

The intruders spent several days just scanning sites for vulnerabilities using a security tool from Acunetix. They also spent time researching specific exploits, including ones to spot and bypass web firewalls. They used the know-how to take advantage of election site vulnerabilities, including misconfigured sites. The techniques included SQL injections, web shell uploads and even “unique” site flaws. Scripts made “several hundred thousand” queries to download voter data.

They made at least some attempt to cover their tracks. Many of the linked IP addresses come from NordVPN’s service as well as other VPN providers.

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

The attackers obtained voter registration info for “at least one” state, officials said, although they unsurprisingly weren’t specific about the nature of that breach or the volume of data taken.

CISA and the FBI made several recommendations that, unfortunately, would be givens for many other organizations. They advised keeping systems updated with security patches, to scan for common web flaws like SQL injections, and to protect against web shells. Administrators should have two-step verification, too. Like it or not, election systems still have basic failings — it may be a long while before your voting info is truly secure.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.